CVE-2025-61959 | THREATINT

Description

Prior to September 19, 2025, the Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration 'customErrors mode="Off"', which could have facilitated reconnaissance by unauthenticated attackers.

PUBLISHED Reserved 2025-10-08 | Published 2025-10-29 | Updated 2025-10-29 | Assigner icscert

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-209 Generation of Error Message Containing Sensitive Information

Product status

Default status

unaffected

Any version

affected

Credits

Pundhapat Sichamnong reported these vulnerabilities to CISA. finder

References

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-301-01

www.vertikalsystems.com/en/products/pm/contact.php

cve.org (CVE-2025-61959)

nvd.nist.gov (CVE-2025-61959)

Download JSON